Monday, February 25, 2008

The Problem

Today is Monday. In addition to a morning coffee I got to start off the week with a pretty angry error when I tried to log in to the domain this morning. It looked a whole lot like:

Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear, contact your system administrator for assistance.

Now lucky for me I actually have multiple machines and was still able to log in via another computer and start to troubleshoot this Monday special.

I decided to log in to my machine under a local administrator account and look in the event log. Sure enough, I found some errors in the System log.

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 3210
Date: 2/25/2008
Time: 12:06:33 PM
User: N/A
Computer: W2K3-TYLER-VIRT
Description: This computer could not authenticate with \\[DC].[DOMAINNAME].com, a Windows domain controller for domain [DOMAINNAME], and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.

Even more fortunate for me is that I have Domain Administrator credentials and have the ability to log in to the domain controller and poke around a bit. On the server there was this error in the event log.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I didn't find a KB article that fixed this cleanly (which is why I'm writing this in the first place). I did, however, piece together a high-level explanation of what was going on from various forums, KBs, blogs, etc.

The Explanation (attempt)

Every domain member has a computer account in Active Directory, and it keeps a secret for that account (the machine account password) both locally and in AD. Netlogon uses that secret to set up what's called a Secure Channel to a domain controller, and that channel is what carries things like your domain logon through to the DC. The member itself rotates the secret on a schedule (30 days by default, set by the "Domain member: Maximum machine account password age" policy): it generates a new password, writes it to AD, and keeps the new value locally. AD also keeps the previous password, so a single missed or late update does not break anything. What does break things is the two copies drifting apart, for instance a machine restored from a backup or snapshot taken before its last rotation. The client then presents a password the DC no longer recognizes, the secure channel cannot be established, and you get exactly the error I was getting.

You can also get this error when two machines on the network are using the same computer name and so are fighting over the same computer account (an un-sysprepped clone is the usual way that happens; a duplicate machine SID by itself doesn't cause it, the shared account does), or if you've been messing with the NETDOM utility in an unhealthy way.

The Fix

I was able to fix this by:

Leaving the domain on my client machine. To do this, log in with a local administrator account, open System Properties -> Computer Name -> Change, and join some throwaway workgroup to leave the domain. Restart the machine.
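Here is the same troubleshooting and repair, scripted, as an added example that is not from the original post. It checks the secure channel, pulls the NETLOGON evidence, shows the rotation interval, and then resets the machine account password in place with netdom, which is the lighter-weight fix; the leave-and-rejoin route described above (rejoining being the implied next step) is kept as the fallback. The domain CORP, the DC dc01.corp.example and the account CORP\admin are placeholders, not values from the post. It assumes you are logged on as a local administrator (a domain logon is exactly what's failing), that the DC is reachable, and that netdom.exe is present (Support Tools on Server 2003, built in from 2008 onward).

```powershell
# Added example, not code from the original post.
# Run on the member whose secure channel is broken, from a LOCAL admin logon.
# Placeholders (assumptions): domain CORP, DC dc01.corp.example, CORP\admin.
param(
    [string]$Domain = 'CORP',
    [string]$DC     = 'dc01.corp.example',
    [string]$Admin  = 'CORP\admin'
)

# 1. Is the secure channel to a DC usable right now?
#    "Status = 0 0x0 NERR_Success" means yes; anything else is broken.
nltest /sc_query:$Domain
if ($LASTEXITCODE -ne 0) { Write-Warning "Secure channel to $Domain is broken" }

# 2. Show the NETLOGON evidence rather than guessing. 3210 is the member-side
#    "could not authenticate" event from the post; 5722 is its DC-side twin.
Get-EventLog -LogName System -Newest 500 |
    Where-Object { $_.Source -eq 'NETLOGON' -and (3210, 5722) -contains $_.EventID } |
    Select-Object TimeGenerated, EventID, Message | Format-List

# 3. The rotation interval the post mentions. A missing value means the
#    default of 30 days; DisablePasswordChange=1 means the member never rotates.
$p = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$np = Get-ItemProperty $p
'MaximumPasswordAge={0} DisablePasswordChange={1}' -f $np.MaximumPasswordAge, $np.DisablePasswordChange

# 4. Lightweight fix: reset the computer account password locally AND in AD
#    in one step. No un-join, no reboot, group memberships and the account's
#    SID stay as they are. /pd:* prompts for the admin password.
netdom resetpwd /s:$DC /ud:$Admin /pd:*

#    Equivalent on PowerShell 2.0+ (Windows 7 / Server 2008 R2 and later):
#    Test-ComputerSecureChannel -Repair -Credential (Get-Credential $Admin)

# 5. Verify. Only if the reset did not take, fall back to the un-join the
#    post describes. The reboot between leaving and rejoining is mandatory.
nltest /sc_verify:$Domain
if ($LASTEXITCODE -ne 0) {
    netdom remove $env:COMPUTERNAME /domain:$Domain /ud:$Admin /pd:* /reboot:30
    # After the reboot, log on as the local admin again and rejoin:
    #   netdom join $env:COMPUTERNAME /domain:$Domain /ud:$Admin /pd:* /reboot:30
}
```

Prefer step 4 over step 5: leaving the domain removes cached credentials and any local-profile mappings that depend on the computer account, whereas netdom resetpwd (or Test-ComputerSecureChannel -Repair) just puts the two copies of the secret back in agreement. Either way, run it from the affected machine, since the reset has to rewrite the local copy of the secret as well as the one in AD.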

About Me

Tyler Holmes is a Solutions Architect working in Portland, Oregon. He lives mostly in the MS tech stack and is currently treading the waters of Communication/Collaboration and Business Intelligence with off the shelf/open source technologies.